1373421 – [gssproxy] Unspecified GSS failure occurs when mount with krb5

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1373421 - [gssproxy] Unspecified GSS failure occurs when mount with krb5

Summary: [gssproxy] Unspecified GSS failure occurs when mount with krb5

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	gssproxy
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Robbie Harwood
QA Contact:	Kaleem
Docs Contact:
URL:	https://pagure.io/gssproxy/pull-reque...
Whiteboard:
Depends On:
Blocks:	1759665 1788833
TreeView+	depends on / blocked

Reported:	2016-09-06 08:58 UTC by ChunYu Wang
Modified:	2023-03-24 13:42 UTC (History)
CC List:	9 users (show)
Fixed In Version:	gssproxy-0.7.0-29.el7
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Clones:	1759665 (view as bug list)
Environment:
Last Closed:	2020-09-29 20:08:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:3961	0	None	None	None	2020-09-29 20:09:03 UTC

Description ChunYu Wang 2016-09-06 08:58:25 UTC

Description of problem:

When trying to mount an NFS export with kerberos-5 security enabled, the gssproxy returns warning every time but not avoiding the normal functions.

The warnings are all like:

(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

With checking further information, the serial number 1 2 840 113554 1 2 2 is pointing to the mechanism of gss on kerberos. If it is functioning right, there may not appear that kind of warnings.

Version-Release number of selected component (if applicable):

    gssproxy-0.4.1-10.el7.x86_64
    nfs-utils-1.3.0-0.33.el7.x86_64   
    kernel-3.10.0-495.el7.x86_64
    RHEL 7.3 Beta (Maipo)

How reproducible:

100%

Steps to Reproduce:
1. Configure a sever and a client with Kerberos
2. Export a dir from the server and mount it on the client(NFS, sec=krb5)
3. When the mounting process is complete check the /var/log/message there appears a group of Warnings.

Actual results:
[root@ibm-x3550m4-02 ~]# systemctl restart gssproxy
[root@ibm-x3550m4-02 ~]# systemctl status gssproxy -l
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-09-06 01:46:36 EDT; 2s ago
  Process: 28913 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
 Main PID: 28914 (gssproxy)
   CGroup: /system.slice/gssproxy.service
           └─28914 /usr/sbin/gssproxy -D
 
Sep 06 01:46:36 ibm-x3550m4-02.rhts.eng.pek2.redhat.com systemd[1]: Starting GSSAPI Proxy Daemon...
Sep 06 01:46:36 ibm-x3550m4-02.rhts.eng.pek2.redhat.com systemd[1]: Started GSSAPI Proxy Daemon.
[root@ibm-x3550m4-02 ~]# mount -o sec=krb5 $HOSTNAME:/export_test/ /mnt/mnt_test/
[root@ibm-x3550m4-02 ~]# umount /mnt/mnt_test/
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ mount/umount with kerberos
[root@ibm-x3550m4-02 ~]# systemctl status gssproxy -l
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-09-06 01:46:36 EDT; 17s ago
  Process: 28913 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
 Main PID: 28914 (gssproxy)
   CGroup: /system.slice/gssproxy.service
           └─28914 /usr/sbin/gssproxy -D
 
Sep 06 01:46:36 ibm-x3550m4-02.rhts.eng.pek2.redhat.com systemd[1]: Starting GSSAPI Proxy Daemon...
Sep 06 01:46:36 ibm-x3550m4-02.rhts.eng.pek2.redhat.com systemd[1]: Started GSSAPI Proxy Daemon.
Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28913]: gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28913]: gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28913]: gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Sep 06 01:46:49 ibm-x3550m4-02.rhts.eng.pek2.redhat.com gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
^^^^^^^^^^^^^^^^^^^^^^^^^^ the warning looks similar with bug 1266564 comment 2
[root@ibm-x3550m4-02 ~]# journalctl -ab -u rpc-gssd -u gssproxy -o cat
Starting GSSAPI Proxy Daemon...
Started GSSAPI Proxy Daemon.
Starting RPC security service for NFS client and server...
Started RPC security service for NFS client and server.
rpc-gssd.service: main process exited, code=killed, status=11/SEGV
Unit rpc-gssd.service entered failed state.
rpc-gssd.service failed.
Starting RPC security service for NFS client and server...
Started RPC security service for NFS client and server.
gssproxy[793]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
mmap: Invalid argument
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[793]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
Stopping GSSAPI Proxy Daemon...
Starting GSSAPI Proxy Daemon...
Started GSSAPI Proxy Daemon.
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
gssproxy[28914]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
(OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found
[root@ibm-x3550m4-02 ~]#
[root@ibm-x3550m4-02 ~]# rpm -q gssproxy
gssproxy-0.4.1-10.el7.x86_64
[root@ibm-x3550m4-02 ~]# rpm -q nfs-utils
nfs-utils-1.3.0-0.33.el7.x86_64
[root@ibm-x3550m4-02 ~]# rpm -q kernel
kernel-3.10.0-500.el7.x86_64
[root@ibm-x3550m4-02 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 Beta (Maipo)
[root@ibm-x3550m4-02 ~]# 

Expected results:
If it is functioning right, there may not appear that kind of warnings.

Additional info:

For learning the meanings of the OID: { 1 2 840 113554 1 2 2 }, I refer to this page:
https://www.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.euvfb00/objid.htm

Comment 1 Robbie Harwood 2016-09-07 17:54:55 UTC

My apologies, I'm having trouble understanding this bug report.  Please correct me if either of these are incorrect:

- Nothing is broken (NFS with krb5 security appears to a user to be functioning correctly)
- Warnings are generated in the gssproxy logs

Assuming those are both correct: NFS (and many other applications) make calls into GSSAPI that can "fail" in the sense that they return an error code, but this failure code is "expected" in the sense that the application alters its behavior accordingly and keeps going.  However, there is no mechanism to tell gssproxy that these calls can fail, so it logs warnings about them as it does on any failed call.

Comment 2 ChunYu Wang 2016-09-08 02:37:15 UTC

(In reply to Robbie Harwood from comment #1)

Hi, Robbie,

- Nothing is broken, the NFS function based on krb5 are as normal
- The warnings could be found at many places, and if I run rpc.gssd -vvvvvvf in other terminal. It just prints some information as this printerr of this function


gssd_inotify_clnt(struct topdir *tdi, struct clnt_info *clp, const struct inotify_event *ev)
{
	printerr(5, "inotify event for clntdir (%s) - "
		 "ev->wd (%d) ev->name (%s) ev->mask (0x%08x)\n",
		 clp->relpath, ev->wd, ev->len > 0 ? ev->name : "<?>", ev->mask);
...
}

I found this information here
[http://www.spinics.net/lists/linux-nfs/msg48184.html]

Comment 15 Sergey Orlov 2020-04-17 11:47:25 UTC

Fix verified for RHEL 7.9, compose RHEL-7.9-20200407.0

ipa-server-4.6.8-1.el7.x86_64

Using upstream automated test:
test_integration/test_nfs.py::TestNFS::test_prepare_users PASSED         [ 25%]
test_integration/test_nfs.py::TestNFS::test_krb5_nfsd PASSED             [ 50%]
test_integration/test_nfs.py::TestNFS::test_krb5_nfs_manual_configuration PASSED [ 75%]
test_integration/test_nfs.py::TestNFS::test_automount PASSED             [100%]

Comment 17 errata-xmlrpc 2020-09-29 20:08:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (gssproxy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3961

Note You need to log in before you can comment on or make changes to this bug.